Two critical patches dropped this week: Avada Builder and Ultimate Member both need updates now. A researcher also exposed a 13-year backdoor campaign across 44 WordPress plugins. On the development side, WordPress 7.1 is moving fast, with the Classic block on its way out and a native knowledge layer proposed for core.
Security: Two urgent patches and a troubling investigation
Both Avada Builder and Ultimate Member shipped critical fixes this week. Update both now.
The Avada Builder flaw lets an unauthenticated attacker delete files on your server. We covered it when the patch landed last Friday. Triggering it requires no special setup, so treat this as a priority update.
Ultimate Member’s flaw is equally serious. Versions 2.11.4 and earlier let contributor-level users trigger a password reset for any account on your site, including admin accounts. Contributor-level accounts are the ones you give to writers and regular commenters. Version 2.12.0 closes the hole. The plugin has more than 200,000 active installations.
A third story put a number on something the community has long suspected. A developer traced a 13-year supply chain attack to a single operator who used 19 WordPress.org accounts, multiple fake brand names, and a Cyprus shell company to plant backdoors in 44 plugins. Several of those plugins posed as security tools. The WordPress Plugins Team confirmed the real count is higher still.
Block Editor: The Classic block begins its exit
WordPress 7.1 will hide the Classic block from the block inserter. Our full breakdown has the details. The short version: any Classic blocks already on your pages keep working exactly as before. You just cannot add new ones once 7.1 ships in August.
The Classic block loads a separate legacy editing interface, TinyMCE, on every post screen, whether or not your site uses it. Removing it from the inserter is the first step toward making TinyMCE fully opt-in, which cuts one of the heaviest assets WordPress ships to the editor. Full removal may come as early as WordPress 7.2.
The Classic Editor plugin, which has more than 9 million active installations, is not affected.
AI: A knowledge layer proposed for WordPress core
The WordPress AI team has published a merge proposal to add a new content type and a Guidelines feature to WordPress 7.1. We covered the proposal in detail earlier this week.
The idea is to give sites a native place to store editorial standards. Most sites already have content rules, but they live in shared documents or someone’s inbox. Guidelines gives them a home inside WordPress, available to editors while writing and to AI tools that need site context to work properly.
The storage layer is a new content type called wp_knowledge, designed to prevent fragmentation. Without it, every plugin that stores AI context or editorial rules ships its own content type and access rules. That leads to dozens of parallel implementations doing the same job. The team compares this to how wp_template and wp_block each resolved a similar coordination problem. Community feedback is open until the July 15 beta freeze. Some contributors have questioned the timing, pointing to long-standing feature requests still in the queue.
Commerce & Performance: WooCommerce and WP Rocket
WooCommerce 10.9 adds a log for failed order emails, so you can see when a purchase confirmation never reached a customer. The release also reduces database load at checkout and cleans up several admin screens. Steady maintenance work rather than a headline feature, but the kind that cuts daily friction.
WP Rocket 3.22 adds a free built-in CDN covering up to three pages. Point it at your highest-traffic URLs, and visitors far from your server will load those pages from a location closer to them. It is not a full CDN replacement, but for a landing page or your homepage, it delivers a real speed improvement with no extra cost.
Business: Plugin delay concerns and a lawsuit update
WordPress.org’s Protect the Shire initiative holds plugin and theme updates for up to 24 hours before they appear in the WordPress dashboard. That delay has drawn sustained pushback from plugin developers and site owners.
The concern is specific. When a developer ships a security fix, the patched code and changelog appear on WordPress.org immediately. But the update is held back for up to 24 hours. During that window, attackers can study the changelog, understand exactly what was fixed, and start exploiting unpatched sites. Several large plugin developers have raised this directly with WordPress.org, including Elementor, whose plugins sit on more than 11 million sites.
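One practical response to the delay window described above, and to the version-bound Ultimate Member advisory earlier in this article, is to compare what a site has installed against what WordPress.org has already published rather than waiting for the dashboard notice. The script below is an added example, not code from the article, from WordPress.org or from any plugin vendor. The installed versions, the published versions and the timestamps are constructed inline so it runs offline; the `example-placeholder-plugin` slug is hypothetical, and the published-data fields are named after the plugin information API's `version` and `last_updated` but use ISO 8601 dates for simplicity. In practice the installed list would come from the site (for instance WP-CLI's `wp plugin list --format=json`) and the published data from the plugin information API.

```python
import re
from datetime import datetime, timedelta, timezone

HOLD_WINDOW = timedelta(hours=24)  # the update hold described in the article

# Constructed sample: what the site reports as installed (slug -> version).
INSTALLED = {
    "ultimate-member": "2.11.4",              # vulnerable per the advisory above
    "woocommerce": "10.9",
    "example-placeholder-plugin": "1.4.0",    # hypothetical slug
}

# Constructed sample shaped like a plugin-info lookup. Real responses use a
# different date format; ISO 8601 is used here so fromisoformat() can parse it.
PUBLISHED = {
    "ultimate-member": {"version": "2.12.0", "last_updated": "2026-07-01T04:00:00+00:00"},
    "woocommerce": {"version": "10.9", "last_updated": "2026-06-28T09:30:00+00:00"},
    "example-placeholder-plugin": {"version": "1.4.2", "last_updated": "2026-06-28T12:00:00+00:00"},
}

# Constructed "current time" so the sample report is reproducible.
SAMPLE_NOW = datetime(2026, 7, 1, 12, 0, tzinfo=timezone.utc)


def version_key(version: str) -> tuple:
    """Turn '2.11.4' into a comparable tuple; pad so '10.9' == '10.9.0'."""
    nums = tuple(int(p) for p in re.findall(r"\d+", version))
    return nums + (0,) * max(0, 4 - len(nums))


def lagging_plugins(installed, published, now, hold=HOLD_WINDOW):
    """Return plugins whose installed version is older than the published one.

    Each finding records how many hours ago the newer version was published and
    whether that is still inside the hold window, i.e. the period in which the
    fix and changelog are public but the dashboard may not yet offer the update.
    """
    findings = []
    for slug, current in installed.items():
        info = published.get(slug)
        if info is None:
            continue  # not hosted on WordPress.org (premium plugins, for example)
        if version_key(current) >= version_key(info["version"]):
            continue  # already current
        released = datetime.fromisoformat(info["last_updated"])
        age = now - released
        findings.append({
            "slug": slug,
            "installed": current,
            "available": info["version"],
            "hours_since_publish": round(age / timedelta(hours=1), 1),
            "in_hold_window": age < hold,
        })
    # Most recently published fixes first: those are the ones the dashboard is
    # least likely to be showing yet.
    return sorted(findings, key=lambda f: f["hours_since_publish"])


def sample_report():
    """Run the comparison over the constructed sample data."""
    return lagging_plugins(INSTALLED, PUBLISHED, SAMPLE_NOW)


if __name__ == "__main__":
    for f in sample_report():
        flag = ("UPDATE NOW (dashboard may not show it yet)"
                if f["in_hold_window"] else "update available")
        print(f"{f['slug']}: {f['installed']} -> {f['available']} "
              f"({f['hours_since_publish']}h ago) {flag}")
```

Running it as a script prints Ultimate Member first, flagged as inside the 24-hour window, followed by the placeholder plugin whose newer version has been out for three days. The version comparison pads to four numeric components so that a two-part version such as `10.9` is not mistaken for an older release than `10.9.0`.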
In the WP Engine vs. Automattic lawsuit, a court ruled this week that Slack messages in which Automattic executives discussed trademark enforcement strategy are protected by attorney-client privilege. That protection keeps confidential lawyer-client communications out of court, so those messages will not be disclosed in discovery. The court also denied Automattic’s motion to force WP Engine to produce records related to the ACF plugin. Both sides argued their motions to dismiss the underlying case before the trial judge.
Community: Om Malik
Om Malik, who founded GigaOm and later became a partner at True Ventures, died Wednesday at Stanford Hospital at 59. For the WordPress community, his role went beyond tech journalism. Malik was one of WordPress’s earliest users and personally connected Matt Mullenweg with Automattic’s founding CEO and with the project’s first investors. Mullenweg called him “my best friend and brother from another mother” in a tribute on his blog. A celebration called OmFest is planned for September 29 in San Francisco, what would have been Malik’s 60th birthday.